CodeStory — agentic threat model
CodeStory operates with high autonomy and deep local system access as an agentic IDE mod. If the agent is compromised, that combination presents a significant risk of arbitrary command execution on the host and exfiltration of source code.
OWASP AIVSS score rationale

| Agentic risk factor | Score (0.0 to 1.0) | Notes |
|---|---|---|
| Autonomy of Action | 0.80 | |
| Goal-Driven Planning | 0.80 | |
| Self-Modification | 0.30 | |
| Dynamic Tool Use | 0.90 | |
| Persistent Memory | 0.60 | |
| Contextual Awareness | 0.80 | |
| Dynamic Identity | 0.40 | |
| Multi-Agent Interactions | 0.20 | |
| Non-Determinism | 0.70 | |
| Opacity & Reflexivity | 0.60 | |
Scored with the canonical OWASP AIVSS formula (see the AIVSS calculator reference); the agentic risk factors were estimated from the agent's publicly described capabilities, not from hands-on testing.
MAESTRO 7-layer threat model
Per-layer threats for this agent, following the seven MAESTRO layers in order. Layers tagged "not certain from the listing" are general, caveated commentary where the public description did not pin down that layer.

Layer 1 (Foundation Models): Not certain from the listing — likely utilizes third-party LLMs or local models, exposing the IDE to prompt injection that could manipulate code generation or trigger malicious actions.
Layer 2 (Data Operations): Not certain from the listing — likely performs local codebase indexing and RAG, creating a risk of codebase poisoning, where malicious files or comments influence the agent's suggestions.
Layer 3 (Agent Frameworks): Not certain from the listing — orchestrates file-editing and terminal-execution tools, presenting a high risk of tool misuse or unauthorized command execution if the agent is hijacked via prompt injection.
Layer 4 (Deployment and Infrastructure): Not certain from the listing — runs locally as a VSCode extension, meaning it operates with the user's local system privileges and without default sandboxing, so a hijacked agent can compromise the host.
Layer 5 (Evaluation and Observability): Not certain from the listing — unknown whether it implements guardrails or audit logs for executed commands, risking a lack of observability into malicious agent actions.
Layer 6 (Security and Compliance): Not certain from the listing — its closed-source nature limits verification of telemetry privacy, data-handling compliance, and code-exfiltration protections.
Layer 7 (Agent Ecosystem): Not certain from the listing — primarily operates standalone within the IDE, but could interact with external package registries, risking dependency confusion or other supply-chain attacks.
MAESTRO — the 7-layer agentic threat-modeling framework (Cloud Security Alliance / Ken Huang).
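As an added example (not CodeStory's own code), the following is a minimal policy gate with an append-only JSON-lines audit log for agent-requested terminal commands, the kind of control whose presence is unverified under the Agent Frameworks and Evaluation and Observability layers above. The allowlist, the workspace path and the log file name are constructed assumptions for illustration.

```python
"""Policy gate + audit log for agent tool calls (hypothetical, not CodeStory code)."""
import json
import shlex
import time
from pathlib import Path

# Constructed policy: binaries the agent may run unattended, binaries that can
# move data off the host (always denied, so the attempt is still logged), and
# sub-commands with effects beyond the host that need a human in the loop.
ALLOWED_BINARIES = {"git", "npm", "pytest", "ls", "cat", "grep"}
EXFIL_CAPABLE = {"curl", "wget", "scp", "nc", "ssh"}
NEEDS_APPROVAL = {"push", "publish"}


def evaluate(command: str, workspace: str) -> dict:
    """Return a decision record {"verdict": allow|deny|require_approval, ...}."""
    argv = shlex.split(command)
    rec = {"ts": time.time(), "command": command, "verdict": "deny", "reason": ""}
    if not argv:
        rec["reason"] = "empty command"
        return rec
    binary = Path(argv[0]).name
    if binary in EXFIL_CAPABLE:
        rec["reason"] = f"{binary} can exfiltrate data"
        return rec
    if binary not in ALLOWED_BINARIES:
        rec["reason"] = f"{binary} not on allowlist"
        return rec
    if any(arg in NEEDS_APPROVAL for arg in argv[1:]):
        rec.update(verdict="require_approval", reason="side effect beyond host")
        return rec
    ws = Path(workspace).resolve()
    for arg in argv[1:]:
        # Simple heuristic: path-like arguments must resolve inside the workspace,
        # which blocks reads of /etc, ../sibling trees and similar.
        if "/" in arg or arg.startswith("."):
            target = (ws / arg).resolve()
            if target != ws and ws not in target.parents:
                rec["reason"] = f"{arg} resolves outside workspace"
                return rec
    rec.update(verdict="allow", reason="policy satisfied")
    return rec


def gate(command: str, workspace: str, audit_log: str = "agent_audit.jsonl") -> str:
    """Evaluate the command, append the record to the audit log, return the verdict."""
    rec = evaluate(command, workspace)
    with open(audit_log, "a", encoding="utf-8") as fh:
        fh.write(json.dumps(rec) + "\n")  # one JSON object per line
    return rec["verdict"]
```

Every request, including denied ones, lands in the log, which is what gives a reviewer visibility into injected tool calls after the fact.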